*3> 



© 




Europaisches Patentamt 
European Patent Office 
Office europeen des brevets 



■111 



© Publication number: 



0 417 889 A* 



EUROPEAN PATENT APPLICATION 



© Application number: 90307301.3 
© Date of filing: 04.07.90 



The title of the invention has been amended 
(Guidelines for Examination in the EPO, A-IH, 

7.3). 

© Priority: 25.08.89 US 398820 

© Date of publication of application: 
20.03.91 Bulletin 91/12 

© Designated Contracting States: 

AT BE CH DE DK ES FR GB IT LI NL SE 

© Applicant: International Business Machines 
Corporation 
Old Orchard Road 
Armonk, N.Y. 10504(US) 

© Inventor: Bealkowski, Richard 



© int CIA G06F 9/445 



1401 Hummingbird Drive 

Delray Beach, Florida 33444-1 033( US) 

Inventor: Blackledge, John Wiley, Jr. 

304 Sequoia Lane 

Boca Raton, Florida 33487(US) 

Inventor: Cronk, Doyle Stanfill 

6830 Town Harbor Boulevard No 3525 

Boca Raton, Florida 33433{US) 

Inventor Dayan, Richard Alan 

830 NE 73 Street 

Boca Raton, Florida 33487{US) 

© Representative: Burt, Roger James, Dr. 
IBM United Kingdom Limited Intellectual 
Property Department Hursley Park 
Winchester Hampshire SQ21 2JN(GB) 



© Computer system with program protection apparatus. 



© An apparatus and method for protecting BIOS 
stored on a direct access storage device (62) into a 
personal computer system (10). The personal com- 
puter system (JO) comprises a system processor 
(26), a system planar (24), a random access main 
memory (32), a read only memory (36), a protection 
means and at least one direct access storage device 
(62). The read only memory (36) includes a first 
portion of BIOS and data representing the type of 
system processor (26) and system planar (24) I/O 
configuration. The first portion of BIOS initializes the 
<^j, system (10) and the direct access storage device 
^ (62), and resets the protection means in order to 
@§) read in a master boot record into the random access 
€9 memory (32) from a protectable partition on the 
direct access storage device (62). The master boot 
*f= record includes a data segment and an executable 
^f 3 code segment. The data segment includes data re- 
@ presenting system hardware and a system configu- 
ration which is supported by the master boot record. 
g]j The first BIOS portion confirms the master boot 
record is compatible with the system hardware by 



verifying that the data from the data segment of the 
master boot record agrees with the system proces- 
sor (26), system planar (24), and planar (24) I/O 
configuration. If the master boot record is compatible 
with the system hardware, the first BIOS portion 
vectors the system processor (26) to execute the 
executable code segment of the master boot record. 
The executable code segment confirms that the sys- 
tem configuration has not changed and loads in the 
remaining BIOS portion from the same protectable 
partition on the direct access storage device (62) 
into random access memory (32). The executable 
code segment then verifies the authenticity of the 
remaining BIOS portion and vectors the system pro- 
cessor (26) to begin executing the BIOS now in 
random access memory. BIOS, executing in random 
access memory (32), then activates the protection 
means to prevent further access to the protectable 
partition. BIOS boots up the operating system to 
begin operation of the personal computer system. 
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COMPUTER SYSTEM 



The present invent ion relates to a computer 
system and in particular to apparatus for protecting 
BIOS stored on a mass storage device in the 
computer system. 

Personal computer systems in general have 
attained widespread use for providing computer 
power to many segments of today's modem soci- 
ety. Personal computer systems can usually be 
defined as a desk top, floor standing, or portable 
microcomputer that consists of a system unit hav- 
ing a single system processor, a display monitor, a 
keyboard, one or more diskette drives, a fixed disk 
storage, and an optional printer. One of the distin- 
guishing characteristics of these systems is the use 
of a motherboard or system planar to electrically 
connect these components together. These sys- 
tems are designed primarily to give independent 
computing power to a single user and are inexpen- 
sively priced for purchase by individuals or small 
businesses. Examples of such personal computer 
systems include the IBM PERSONAL COMPUTER 
AT and the IBM PERSONAL SYSTEM/2 Models 
30. 50, 60, 70 and 80. 

These systems can be classified into two gen- 
eral families. The first family, usually referred to as 
Family I Models, use a bus architecture exempli- 
fied by the IBM PERSONAL COMPUTER AT. The 
second family, referred to as Family II Models, use 
MICROCHANNEL bus architecture exemplified by 
the IBM PERSONAL SYSTEM/2 Models 50 through 
80. 

In early examples of family I personal com- 
puter systems such as the IBM Personal Com- 
puter, it was recognised that software compatibility 
would be of utmost importance. In order to achieve 
this goal, an insulation layer of system resident 
code, also referred to as "microcode", was estab- 
lished between the hardware and software. This 
code provided an operational interface between a 
user's application program/operating system and 
the device to relieve the user of the concern about 
the characteristics of hardware devices. Eventually, 
the code developed into a Basic Input/Output sys- 
tem (BIOS), for allowing new devices to be added 
to the system, while insulating the application pro- 
gram from the peculiarities of the hardware. The 
importance of BIOS was immediately evident be- 
cause it freed a device driver from depending on 
specific device hardware characteristics while pro- 
viding the device driver with art intermediate inter- 
face to the device. Since BIOS was an integral part 
of the system and controlled the movement of data 
in and out of the system processor, it was resident 
on the system planar and was shipped to the user 
in a read only memory (ROM). For example, BIOS 



in the IBM Personal Computer occupied 8K of 
ROM resident on the planar board. 

As new models of the personal computer fam- 
ily were introduced, BIOS had to be updated and 
5 expanded to include new hardware and I/O de- 
vices. As could be expected, BIOS started to in- 
crease in memory size. For example, BIOS in the 
IBM PERSONAL COMPUTER AT, occupied 32K 
bytes of ROM. 

10 Today, with the development of new technol- 

ogy, personal computer systems of the Family II 
models are growing even more sophisticated and 
are being made available to consumers more fre- 
quently. Since the technology is rapidly changing 

75 and new I/O devices are being added to the per- 
sonal computer systems, modification to the BIOS 
has become a significant problem in the develop- 
ment cycle of the personal computer system. 

For instance, with the introduction of the IBM 

20 Personal System/2 with MICROCHANNEL architec- 
ture, a significantly new BIOS, known as advanced 
BIOS, or ABIOS, was developed. However, to main- 
tain software compatibility, BIOS from the Family I 
models had to be included in the Family II models. 

25 The Family i BIOS became known as Compatibility 
BIOS or CBIOS. However, as previously explained 
with respect to the IBM PERSONAL COMPUTER 
AT, only 32K bytes of ROM were resident on the 
planar board. Fortunately, the system could be 

30 expanded to 96K bytes of ROM. Unfortunately, 
because of system constraints, this turned out to 
be the maximum capacity available for BIOS. Luck- 
ily, even with the addition of ABIOS, ABIOS and 
CBIOS could still squeeze into 96K of ROM. How- 

35 ever, only a small percentage of the 96K ROM area 
remained available for expansion. With the addition 
of future I/O devices, CBIOS and ABIOS will even- 
tually run out of ROM space. Thus, new I/O tech- 
nology will not be able to be easily integrated 

40 within CBIOS and ABIOS. 

Due to these problems, plus the desire to 
make modifications in Family II BIOS as late as 
possible in the development cycle, it became nec- 
essary to off load portions of BIOS from the ROM. 

45 This was accomplished by storing portions of BIOS 
on a mass storage device such as a fixed disk. 
Since a disk provides writing as well as reading 
capabilities, it became feasible to modify the actual 
BIOS code on the disk. The disk, while providing a 

so fast and efficient way to store BIOS code, never- 
theless greatly increased the probability of the 
BIOS code being corrupted. Since BIOS is an 
integral part of the operating system, a corrupt 
BIOS could lead to devastating results and in many 
cases to complete failure and non-operation of the 
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system. Thus, it became quite apparent that a 
means for preventing unauthorized modification of 
the BIOS code on the fixed disk was highly de- 
sireable. 

An aim of the present invention is to provide a 
computer system having apparatus for preventing 
unauthorized changes to BIOS stored on a direct 
access storage device in the computer system. 

In accordance with the present invention, there 
is now provided a computer system comprising: a 
system processor; a read only memory; a random 
access main memory; and at least one direct ac- 
cess storage device capable of storing a plurality of 
data records; characterised in that the system fur- 
ther comprises: initialising means included in the 
read only memory for initialising the system pro- 
cessor and for generating a reset signal to the 
direct access storage device to permit access to 
the data records; loading means for loading data 
records from the direct access storage device into 
main memory, the loading means being stored in a 
protectable partition of the direct access storage 
device, the loading means being read from the 
direct access storage device into main memory by 
the initialising means wherein the initialising means 
activates the loading means; a main memory resi- 
dent program image being stored in the protectable 
partition of the direct access storage device, the 
main memory resident program image being read 
from the direct access storage device into main 
memory by the loading means to produce a main 
memory resident program; protection means for 
protecting the protectable partition of the direct 
access storage device, the protection means being 
activated by the main memory resident program to 
prevent unauthorized access to the loading means 
and the main memory resident program image. 

Viewing the present invention from a second 
aspect, there is now provided, an apparatus for 
protecting BIOS in a personal computer system, 
the personal computer system having a system 
processor for executing an operating system, a 
read only memory, a random access memory, and 
at least one direct access storage device, the ap- 
paratus comprising: a direct access storage device 
controller having a protection means for protecting 
a region of the direct access storage device, the 
protection means allowing access to the protected 
region in response to a reset signal; a master boot 
record included in the protected region of the di- 
rect access storage device, the master boot record 
including an executable code segment having 
means for loading information from the direct ac- 
cess storage device; a first portion of BIOS being 
included in the read only memory, the first portion 
of BIOS initializing the system processor and ini- 
tiating generation of the reset signal to the direct 
access storage device controller to permit the sys- 



tem processor to access the master boot record in 
order to load the master boot record into random 
access memory; a remaining portion of BIOS being 
included in the protected region of the direct ac- 

5 cess storage device, the remaining portion of BIOS 
being loaded into random access memory by the 
executable code segment in response to the first 
portion of BIOS transferring control to the execut- 
able code segment, the executable code segment 

10 transferring control to the remaining portion of 
BIOS to boot the operating system, the remaining 
portion of BIOS activating the protection means to 
prevent access to the protected region of the direct 
access storage device during normal operations of 

75 the operating system. 

Viewing the present invention from a third as- 
pect, there is now provided an apparatus for pro- 
tecting a system resident program in a personal 
computer system, the personal computer system 

20 having a system processor, a read only memory, a 
main memory, and at least one direct access stor- 
age device capable of storing a plurality of data 
records, the apparatus comprising: a first program 
being included in the read only memory, the first 

25 program initializing the system processor, the first 
program further initiating the generation of a reset 
signal to the direct access storage device to permit 
access to the data records; a loading means for 
loading data records from the direct access storage 

so device into main memory, the loading means being 
stored in a protectable partition of the direct access 
storage device, the loading means being read from 
the direct access storage device into main memory 
by the first program, wherein the first program 

35 activates the loading means; a main memory resi- 
dent program image being stored in the protectable 
partition of the direct access storage device, the 
main memory resident program image being read 
from the direct access storage device into main 

40 memory by the loading means to produce a main 
memory resident program; means for protecting 
the protectable partition of the direct access stor- 
age device, the protection means being activated 
by the main memory resident program to prevent 

45 unauthorized access to the loading means and the 
main memory resident program image. 

Viewing the present invention from fourth as- 
pect, there is now provided a device for preventing 
the unauthorized access of BIOS stored in a mass 

so storage device in a personal computer system hav- 
ing a system processor, the mass storage device 
capable of storing a plurality of data blocks defined 
between a first and second data block extreme, 
BIOS being accessible by the system processor in 

55 the form of individual definable contiguous blocks 
of data, BIOS extending from a third data block 
extreme to a fourth data block extreme, the third 
and fourth extremes being bounded by the first and 
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second extremes, the device comprising: (a) con- 
troller device coupled between the system proces- 
sor and the mass storage device for transforming 
an input or output request from the system proces- 
sor to physical characteristics of the mass storage 
device, the input/output requests being in the form 
of individual definable contiguous blocks of data; 
(b) first logic means for initiating the generation of 
a reset signal; (c) second logic means for generat- 
ing a second signal for preventing access to the 
BIOS code; and (d) protection means responsive to 
the reset signal for permitting access to the BIOS 
code, the protection means being responsive to the 
second signal for setting a boundary at the third 
data block to prevent access to the BIOS code 
during normal execution of authorized programs by 
the system processor. 

Viewing the present invention from a fifth as- 
pect, there is now provided a method for protecting 
BIOS in a personal computer system, the system 
including a system processor, a read only memory, 
a random access memory, and direct storage ac- 
cess device, the method comprising the steps of: 

(a) storing a first portion of BIOS in the read 
only memory, the first portion of BIOS including 
means for initializing the system; 

(b) storing a master boot record and a remaining 
portion of BIOS in a protectable partition on the 
direct access storage device, the remaining por- 
tion of BIOS being resident in the random ac- 
cess memory during normal operations of the 
personal computer system; 

(c) initializing the system and initiating the gen- 
eration of a reset signal being sent to the direct 
access storage device; 

(d) removing the protection to the protectable 
partition to permit the system processor to ac- 
cess the master boot record and remaining por- 
tion of BIOS, the protection being removed in 
response to the reset signal; 

(e) loading the master boot record into random 
access memory, the master boot record includ- 
ing an executable code segment; 

(f) transferring control to the executable code 
segment to load the remaining portion of BIOS 
into the random access memory; and 

(g) transferring control to the remaining portion 
of BIOS in random access memory, the remain- 
ing portion of BIOS setting the protection on the 
protectable partition to prevent unauthorized ac- 
cess to the master boot record and the remain- 
ing portion of BIOS stored in the protectable 
partition on the direct access storage device. 

Preferably, the method further includes the 
step (h) of verifying the master boot record is 
compatible with the system by comparing data 
stored in the first BIOS portion with corresponding 
data stored in the master boot record. 



Furthermore, a preferred method of the present 
invention includes the step (i) of verifying the mas- 
ter boot record is compatible with the system pro- 
cessor by comparing data in the read only memory 
5 to corresponding data included in the master boot 
record. 

In a preferred example of the present invention 
to be described later, there is provided a computer 
system comprising a system processor, a random 

jo access memory, a read only memory, and at least 
one direct access storage device. A direct access 
storage device controller coupled between the sys- 
tem processor and direct access storage device 
includes a means for protecting a region of the 

15 storage device. The protected region of the storage 
device includes a master boot record and a BIOS 
image. In response to a reset signal, the protection 
means permits access to the protected region to 
allow the master boot record to be loaded into 

20 random access memory. In operation, the master 
boot record further loads the BIOS image into 
random access memory. BIOS, now in random 
access memory, is executed and generates a sec- 
ond signal which activates the protection means to 

25 prevent access to the region on the disk containing 
the master boot record and the BIOS image. BIOS 
then boots up the operating system to begin opera- 
tion of the system. 

In particular, the read only memory includes a 

30 first portion of BIOS. The first portion of BIOS 
initializes the system processor, the direct access 
storage device and resets the protection means to 
read the master boot record from the protected 
region or partition on the direct access storage 

35 device into the random access memory. The mas- 
ter boot record includes a data segment and an 
executable code segment. The data segment in- 
cludes data representing system hardware and a 
system configuration which is supported by the 

40 master boot record. The first BIOS portion confirms 
the master boot record is compatible with the sys- 
tem hardware by verifying the data from the data 
segment of the master boot record agrees with 
data included within the first BIOS portion repre- 
ss senting the system processor, system planar, and 
planar I/O configuration. 

If the master boot record is compatible with the 
system hardware, the first BIOS portion vectors the 
system processor to execute the executable code 

so segment of the master boot record. The executable 
code segment confirms that the system configura- 
tion has not changed and loads in the remaining 
BIOS portion from the direct access storage device 
into random access memory- The executable code 

55 segment then verifies the authenticity of the re- 
maining BIOS portion, vectors the system proces- 
sor to begin executing the BIOS now in random 
access memory. BIOS, executing in random ac- 
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cess memory, generates the second signal for pro- 
tecting the disk partition having the remaining BIOS 
and then boots up the operating system to begin 
operation of the personal computer system. The 
partition holding the remaining BIOS is protected to 
prevent access to the BIOS code on disk in order 
to protect the integrity of the BIOS code. 

A computer system of the present invention 
comprises apparatus for protecting disk loaded 
BIOS which is inexpensive to implement and sub- 
stantially transparent to the end user so that it does 
not detract from the commercial acceptance of the 
computer system. 

An embodiment of the present invention will 
now be described with reference to the accom- 
panying drawings in which: 

Rg. 1 illustrates a cut away view of a personal 
computer system showing a system planar 
board connected to a plurality of direct access 
storage devices; 

Rg. 2 shows a system block diagram for the 
personal computer system of Rg. 1 ; 
Rg. 3 is a memory map for the ROM BIOS 
included on the planar board; 
Rg. 4 is a flowchart describing the overall pro- 
cess for loading a BIOS image from a direct 
access storage device; 

Rg. 5 illustrates the record format for the master 
boot record; 

Rg. 6A is a flowchart describing the operation of 
the IBL routine; 

Rg. 6B is a flowchart showing the steps for 
loading a BIOS image from a fixed disk; 
Fig. 6C is a flowchart showing the steps for 
loading the BIOS image from a diskette; 
Rg. 6D is a flowchart showing greater detail in 
checking the compatibility between the master 
boot record and the planar/processor; 
Fig. 7 is a detailed flowchart showing the opera- 
tion of the executable code segment of the 
master boot record; 

Fig. 8 is a block diagram for the controller of the 
direct access storage device; 
Fig. 9 is a flow diagram showing the operation of 
a disk controller to protect the IBL media stored 
on a disk drive; and 

Rg. 10 is a flowchart showing a method for 
protecting the BIOS image. 

The following detailed description is of the best 
presently contemplated mode for carrying out the 
invention. This description is not to be taken in a 
limiting sense but is made merely for the purpose 
of illustrating the general principles of the invention 
since the scope of the invention is best defined by 
the appending claims. 

Referring now to the drawings, and in particular 
to Rg. 1, there is shown a cutaway version of a 
personal computer system 10. having a plurality of 



DASD (Direct Access Storage Devices) 12 - 16 
connected to a system or planar board 24 through 
a plurality of I/O slots 15. A power supply 22 
provides electrical power to the system 10 in a 

5 manner well known. The planar board 24 includes a 
system processor which operates under the control 
of computer instructions to input, process, and out- 
put information. 

In use. the personal computer system 10 is 

w designed primarily to give independent computing 
power to a small group of users or a single user 
and is inexpensively priced for purchase by in- 
dividuals or small businesses. In operation, the 
system processor operates under an operating sys- 

15 tern, such as IBM's OS/2 Operating System or PC- 
DOS. This type of operating system includes a 
BIOS interface between the DASD 12 - 16 and the 
Operating System. A portion of BIOS divided into 
modules by function is stored in ROM on the 

20 planar 24 and hereinafter will be referred to as 
ROM-BIOS. BIOS provides an interface between 
the hardware and the operating system software to 
enable a programmer or user to program their 
machines without an indepth operating knowledge 

25 of a particular device. For example, a BIOS diskette 
module permits a programmer to program the dis- 
kette drive without an indepth knowledge of the 
diskette drive hardware. Thus, a number of diskette 
drives designed and manufactured by different 

30 companies can be used in the system. This not 
only lowers the cost of the system 10, but permits 
a user to choose from a number of diskette drives. 

Prior to relating the above structure to the 
present invention, a summary of the operation in 

35 general of the personal computer system 10 may 
merit review. Referring to Rg. 2, there is shown a 
block diagram of the personal computer system 10. 
Fig. 2 illustrates components of the planar 24 and 
the connection of the planar 24 to the I/O slots 18 

40 and other hardware of the personal computer sys- 
tem. Located on the planar 24 is the system pro- 
cessor 26 comprised of a microprocessor which is 
connected by a local bus *28 to a memory control- 
ler 30 which is further connected to a random 

45 access memory (RAM) 32. While any appropriate 
microprocessor can be used, one suitable micro- 
processor is the 80386 which is sold by Intel. 

While the present invention is described 
hereinafter with particular reference to the system 

so block diagram of Fig. 2, it is to be understood at 
the outset of the description which follows, it is 
contemplated that the apparatus and methods in 
accordance with the present invention may be used 
with other hardware configurations of the planar 

55 board. For example, the system processor could 
be an Intel 80286 or 80486 microprocessor. 

Accessible by the processor is a planar iden- 
tification number (planar ID). The planar ID is un- 
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igue to the planar and identifies the type of planar 
being used. For example, the planar ID can be 
hardwired to be read through an I/O port of the 
system processor 26 or by using switches. Addi- 
tionally, another I/O port of the system processor 
26 can be used to generate a reset signal using 
planar logic circuitry to the disk controller. For 
instance, the reset signal can be initiated by soft- 
ware addressing the I/O port and activating planar 
logic to generate the reset signal. 

The local bus 28 is further connected through a 
bus controller 34 to a read only memory (ROM) 36 
on the planar 24. 

An additional nonvolatile memory (NVRAM) 58 
is connected to the microprocessor 26 through a 
serial/parallel port interface 40 which is further con- 
nected to bus controller 34. The nonvolatile mem- 
ory can be CMOS with battery backup to retain 
information whenever power is removed from the 
system. Since the ROM is normally resident on the 
planar, model and submodel values stored in ROM 
are used to identify the system processor and the 
system planar I/O configuration respectively. Thus 
these values will physically identify the processor 
and planar I/O configuration. The NVRAM is used 
to store system configuration data. That is, the 
NVRAM will contain values which describe the 
present configuration of the system. For example, 
NVRAM contains information describing the capac- 
ity of a fixed disk or diskette, the type of display, 
the amount of memory, time, date, etc. Addition- 
ally, the model and submodel values stored in 
ROM are copied to NVRAM whenever a special 
configuration program, such as SET Configuration, 
is executed. The purpose of the SET Configuration 
program is to store values characterizing the con- 
figuration of the system in NVRAM. Thus for a 
system that is configured properly, the model and 
submodel values in will be equal respectively to 
the model and submodel values stored in ROM. If 
these values are not egual, this indicates that the 
configuration of the system has been modified. 
Reference is made to Fig. 6D, where this feature in 
combination with loading BIOS is explained in 
greater detail. 

Continuing, our discussion with reference to 
Fig. 2, the bus controller 34 is further coupled to 
I/O slots 18. the serial/parallel interface 40 and 
peripheral controller 42 by an I/O planar bus 43. 
The peripheral controller 42 is further connected to 
a keyboard 44, mouse 46, diagnostic panel 47, and 
diskette controller 64. Beside ,the 58, the 
serial/parallel interface 40 is further connected to a 
serial port 48 and parallel port 50 to input/output 
information to a printer, hard copy device, etc. As 
is well known in the art, the local bus 28 can also 
be connected to a cache controller 52, a cache 
memory 68. a co-processor 54, and a DMA control- 



ler 56. 

The system processor 26 controls its internal 
operation as well as interfacing with other elements 
of the personal computer system 10. For example, 

5 system processor 26 is shown connected to a 
small computer system interface (SCSI) I/O card 60 
which is further connected to a DASD, such as a 
fixed disk drive 62. It is to be understood that other 
than a SCSI disk drive can be used as a fixed disk 

io in accordance with the present invention. In addi- 
tion to the fixed disk 62, the system processor 26 
can be interfaced to the diskette controller 64 
which controls a diskette drive 66. With respect to 
terminology, it is also to be understood that the 

is term "hardfile" describes fixed disk drive 62 while 
the term "floppy" also describes diskette drive 66. 

Previous to the present invention, ROM 36 
could include alt of the BIOS code which interfaced 
the operating system to the hardware peripherals. 

20 According to one aspect of the present invention, 
however, ROM 36 is adapted to store only a por- 
tion of BIOS. This portion, when executed by the 
system processor 26, inputs from either the fixed 
disk 62 or diskette 66 a second or remaining por- 

25 tion of BIOS, hereinafter also referred to as a BIOS 
image. This BIOS image supersedes the first BIOS 
portion and being an integral part of the system is 
resident in main memory such as RAM 32. The 
first portion of BIOS (ROM-BIOS) as stored in ROM 

30 36 will be explained generally with respect to Figs. 
3-4 and in detail with respect to Figs. 6A-D. The 
second portion of BIOS (BIOS image) will be ex- 
plained with respect to Fig. 5, and the loading of 
the BIOS image with respect to Fig. 7. Another 

35 benefit from loading a BIOS image from a DASD is 
the ability to load BIOS directly into the system 
processor's RAM 32. Since accessing RAM is 
much faster than accessing ROM, a significant 
improvement in the processing speed of the com- 

40 puter system is achieved. 

The explanation will now proceed to the opera- 
tion of the BIOS in ROM 36 and to the operation of 
loading the BIOS image from either the fixed disk 
or diskette. In general, a first program such as 

45 ROM-BIOS prechecks the system and loads a 
BIOS master boot record into RAM. The master 
boot record includes a data segment having valida- 
tion information and, being a loading means, a 
code segment having executable code. The ex- 

so ecutable code uses the data information to validate 
hardware compatibility and system configuration. 
After testing for hardware compatibility and proper 
system configuration, the executable code loads 
the BIOS image into RAM producing a main mem- 

55 ory resident program. The BIOS image succeeds 
ROM-BIOS and loads the operating system to be- 
gin operation of the machine. For purposes of 
clarity, the executable code segment of the master 
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boot record will be referred to as MBR code while 
the data segment will be referred to as MBR data. 

Referring to Fig. 3 there is a memory map 
showing the different code modules which com- 
prise ROM-BIOS. ROM-BIOS includes a power on 
self test (POST) stage I module 70, an Initial BIOS 
Load (IBL) Routine module 72, a Diskette module 
74, a hardfile module 76, a video module 78, a 
diagnostic-panel module 80, and hardware com- 
patibility data 82. Briefly, POST Stage I 70 per- 
forms system pre-initialization and tests. The IBL 
routine 72 determines whether the BIOS image is 
to be loaded from disk or diskette, checks compati- 
bility and loads the master boot record. Diskette 
module 74 provides input/output functions for a 
diskette drive. Hardfile module 76 controls I/O to a 
fixed disk or the like. Video module 78 controls 
output functions to a video I/O controller which is 
further connected to a video display. Diagnostic 
panel module 80 provides control to a diagnostic 
display device for the system. The hardware com- 
patibility data 82 includes such values as a system 
model and submodel values which are described 
later with respect to Fig. 5. 

Referring now to Fig. 4, there is shown a 
process overview for loading a BIOS image into the 
system from either the fixed disk or the diskette. 
When the system is powered up. the system pro- 
cessor is vectored to the entry point of POST 
Stage I, step 100. POST Stage I initializes the 
system and tests only those system functions 
needed to load BIOS image from the selected 
DASD, step 102. In particular, POST Stage I initial- 
izes the processor/planar functions, diagnostic pan- 
el, memory subsystem, interrupt controllers, timers, 
DMA subsystem, fixed disk BIOS routine (Hardfile 
module 76), and diskette BIOS routine (Diskette 
module 74), if necessary. 

After POST Stage I pre-initializes the system. 
POST Stage I vectors the system processor to the 
Initial BIOS Load (IBL) routine included in the Initial 
BIOS Load module 72. The IBL routine first, deter- 
mines whether the BIOS image is stored on fixed 
disk or can be loaded from diskette; and second, 
loads the master boot record from the selected 
media (either disk or diskette) into RAM, step 104. 
The master boot record includes the MBR data and 
the MBR code. The MBR data is used for verifica- 
tion purposes and the MBR code is executed to 
load in the BIOS image. A detailed description of 
the operation of the IBL routine is presented with 
respect to Rgs. 6A-D. 

With continuing reference to Fig. 4, after the 
IBL routine loads the master boot record into RAM, 
the system processor is vectored to the starting 
address of the MBR code to begin execution step 
106. The MBR code performs a series of validity 
tests to determine the authenticity of the BIOS 



image and to verify the configuration of the system. 
For a better understanding of the operation of the 
MBR code, attention is directed to Fig. 7 of the 
drawings wherein the MBR code is described in 
5 greater detail. 

On the basis of these validity tests, the MBR 
code loads the BIOS image into RAM and transfers 
control to the newly loaded BIOS image in main 
memory, step 108. In particular, the BIOS image is 

io loaded into the address space previously occupied 
by ROM-BIOS. That is if ROM-BIOS is addressed 
from E0000H through FFFFFH, then the BIOS im- 
age is loaded into this RAM address space thus 
superseding ROM-BIOS. Control is then transferred 

is to POST Stage II which is included in the newly 
loaded BIOS image thus abandoning ROM-BIOS. 
POST Stage II, now in RAM, initializes and tests 
the remaining system in order to load the operating 
system boot, steps 110-114. 

20 Before Stage II POST transfers control to the 

operating system, Stage II POST sets a protection 
means for preventing access to the disk partition 
holding the BIOS image. Reference is made to 
Rgs. 8-10 for a detailed discussion of this protec- 
ts tion process. It is noted that during a warm start, 
the processor is vectored to step 108, bypassing 
steps 100-106. 

For clarity, it is appropriate at this point to 
illustrate a representation for the format of the 

30 master boot record. Referring to Rg. 5, there is 
shown the master boot record. The boot record 
includes the executable code segment 120 and 
data segments 122-138. The MBR code 120 in- 
cludes DASD dependent code responsible for veri- 

35 tying the identity of the ROM-BIOS, checking that 
the IBL boot record is compatible with the system, 
verifying the system configuration, and loading the 
BIOS image from the sefected DASD (disk or dis- 
kette). The data segments 122-138 include infor- 

4o mation used to define the media, identify and verify 
the master boot record, locate the BIOS image, 
and load the BIOS image. 

The master boot record is identified by a boot 
record signature 122. The boot record signature 

45 122 can be a unigue bit pattern, such as a char- 
acter string "ABC", in the first three bytes of the 
record. The integrity of the master boot record is 
tested by a checksum value 132 which is com- 
pared to a computed checksum value when the 

so boot record is loaded. The data segments further 
include at least one compatible planar ID value 
134, compatible model and submodel values 136. 
The master boot record's planar ID value defines 
which planar that the master boot record is valid 

55 for. Similarly, the master boot record's model and 
submodel values define the processor and planar 
I/O configuration respectively that the master boot 
record is valid for. It is noted that the boot record's 
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signature and checksum identify a valid master 
boot record, while the boot record's planar ID, boot 
record's model and boot record's submodel com- 
parisons are used to identify a boot record com- 
patible with the system and to determine if the 
system configuration is valid. Another value, boot 
record pattern 124 is used to determine the validity 
of the ROM-BIOS. The boot record pattern 124 is 
compared to a corresponding pattern value stored 
in ROM. If the values match this indicates that a 
valid ROM-BIOS has initiated the load of a BIOS 
image from the selected media. 

The following description further describes in 
greater detail each of the values in the master boot 
record and their functions: 

The first three bytes of the IBL boot record can 
consist of characters, such as "ABC". This signa- 
ture is used to identify a boot record. 



Segment (120): + 

This code verifies the compatibility of the boot 
record with the planar and processor by comparing 
corresponding planar id and model/submodel val- 
ues. If these values match, it will load the BIOS 
image from the chosen media to system RAM. If 
the system image (BIOS image loaded into mem- 
ory) checksum is valid and no media load errors 
occur, the MBR code will transfer control to the 
POST Stage II routine of the system image. 



MBR Pattern (124): + 

The first field of the IBL boot record data 
segment contains a pattern, such as a character 
string "ROM-BIOS 1959". This string is used to 
validate the ROM-BIOS by comparing the Boot 
Pattern value to the corresponding value stored in 
ROM (ROM-Pattern). 



MBR Version Date (126): + 

The master boot record includes a version date 
for use by an update utility. 

System Partition Pointer (128): + 

The data segment contains a media pointer to 
the beginning of the media system partition area 
for use by Stage II POST. On an IBL diskette, the 
pointer is in track-head-sector format; on disk the 
pointer is in Relative Block Address (RBA) format. 



System Partition Type (1 30): + 

The system partition type indicates the struc- 
ture of the media system partition. There are three 
5 types of system partition structures - full, minimal 
and not present. The full system partition contains 
the setup utility and diagnostics in addition to the 
BIOS image and master boot record. The minimal 
system partition contains just the BIOS image and 
70 master boot record. It may occur where a system 
does not have access to a hardfile having an IBL 
image, in this circumstance the system partition 
type indicates not present In this instance, IBL will 
occur from the diskette. These three system parti- 
es Uon types allow flexibility in how much space the 
system partition takes up on the media. 

Checksum value (1 32): + 

20 

The checksum value of the data segment is 
initialized to generate a valid checksum for the 
record length value (1 .5k bytes) of the master boot 
record code. 

25 

MBR Planar ID Value (134): + 

The data segment includes a value, such as a 
30 string of words defining compatible planar IDs. 
Each word is made up of a 16 bit planar ID and the 
string is terminated by word value of zero. If a 
system's planar ID matches the planar ID value in 
the master boot record, such as one of the words 
35 in the string, the IBL media image is compatible 
with the system planar. If the system's planar ID 
does not match any word in the string, the IBL 
media image is not compatible with the system 
planar. 

40 

MBR model and submodel values (136): + 

The data segment includes values, such as a 
45 string of words defining compatible processors. 
Each word is made up of a model and submodel 
value and the string is terminated by a word value 
of zero. If a system's model and submodel value 
(stored in ROM) match one of the words in the 
so string, the IBL media image is compatible with the 
system processor. If the ROM model and ROM 
submodel values do not match any word in the 
string, the IBL media image is not compatible with 
the system processor. 

55 

MBR Map length (138): + 
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The IBL map length is initialized to the number 
of media image blocks. In other words, if the BIOS 
image is broken into four blocks, the map length 
will be four indicating four block pointer/length 
fields. Usually this length is set to one, since the 
media image is one contiguous 128k block. 



MBR Media Sector Size (138): + 

This word value is initialized to the media sec- 
tor size in bytes per sector. 



Media image block pointer (138): + 

The media image block pointer locates a sys- 
tem image block on the media. Normally, there is 
only one pointer since the media image is stored 
as one contiguous block. On an IBL diskette, the 
pointers are in track-head-sector format; on disk 
the pointers are relative block address format. 



Media image block length (138): + 

The media image block length indicates the 
size (in sectors) of the block located at the cor- 
responding image block pointer. In the case of a 
128k contiguous media image, which includes 
space for BASIC, this field is set to 256, indicating 
that the BIOS image block takes up 256 sectors 
(512 bytes/sector) starting at the media image 
block pointer location. 

Referring now to Figs. 6A-D, there is shown a 
detailed flow chart of the operation of the IBL 
routine. Under normal circumstances, the IBL rou- 
tine loads the master boot record from the system 
fixed disk into RAM at a specific address and then 
vectors the system processor to begin executing 
the code segment of the master boot record. The 
IBL routine also contains provisions for a diskette 
default mode in which the master boot record can 
be loaded from diskette. However, the IBL routine 
does not allow the diskette default mode to be 
performed if the system contains the IBL media on 
the system fixed disk and a valid password is 
present in NVRAM. The user has the option of 
setting the password in NVRAM. The purpose of 
preventing the diskette default mode from being 
effected is to prevent loading an unauthorized 
BIOS image from diskette. In other words, the 
diskette default mode is used only when a system 
fixed disk is not operational and the user has 
indicated (by not setting the password) the desir 
to be able to load from the diskette. If the IBL 
routine is not able to load the master boot record 
from either media, an error message is generated 



and the system is halted. 

Referring now to Fig. 6A, under normal cir- 
cumstances the system will contain a system fixed 
disk which the IBL routine initializes, step 150. 
s Assume for purposes of illustration that the fixed 
disk is configured for Drive C of the personal 
computer system. Similarly, assume Drive A is 
designated as the diskette drive. The IBL routine 
then examines Drive C to determine whether it 

ro contains IBL media, step 152. Attention is directed 
to Fig. 6B which describes in detail this process. 
The IBL routine starts reading from the fixed disk at 
the last three sectors and continues reading, de- 
crementing the media pointer, for 99 sectors or 

is until a valid master boot record is found. If a 
master boot record is found, it is checked for 
system Planar and processor compatibility, step 
156. If it is not planar or processor compatible, 
then an error is reported, step 158. Referring back 

20 to step 152, if no master boot record is found on 
the last 99 sectors of the fixed disk (primary hard- 
file), an error is reported, step 154. 

Referring back to step 156. if a master boot 
record is found, a series of validity checks are 

25 performed to determine if the master boot record is 
compatible with the computer system. Additionally, 
the configuration of the system is checked. Atten- 
tion is directed to Fig. 6D which discloses this 
process in greater detail. If the boot record Is 

30 compatible with the planar ID. model and sub- 
model, and if furthermore the system configuration 
has not changed the master boot record is loaded 
and the code segment of the master boot record is 
executed, step 160. 

35 Referring back to steps 154 and 158, if an error 

occurs in loading the master boot record from the 
fixed disk or if a fixed disk is not available, the IBL 
routine determines if a valid password is included 
in NVRAM, step 162. This password determines 

40 whether the BIOS image can be loaded from dis- 
kette. Note that the password will exist only upon 
being installed by the user running a set features 
utility. If a password is installed in NVRAM, the 
BIOS image is prevented from being loaded from 

45 diskette, step 164. This permits the user to ensure 
the integrity of the operation of the system by 
causing the system to be Joaded only with the 
BIOS image on the fixed disk. The password can 
take the form of a string of characters stored in 

so NVRAM. 

Referring back to step 162 if a valid password 
in NVRAM is not present, thus allowing BIOS im- 
age to be loaded from diskette, the IBL routine 
initializes the diskette subsystem, step 166 The IBL 

55 routine then determines if Drive A includes the IBL 
media on a diskette, step 168. If Drive A does not 
include IBL media, an error is generated to notify 
the user that an invalid diskette has been inserted 
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in the drive, step 170. The system then halts, step 
172. Attention is directed to Fig. 6C for a more 
detailed discussion of step 168. 

Referring back to step 168, after Drive A is 
checked for IBL media, the master boot record is 
loaded into RAM and the code segment included in 
the master boot record is executed, step 160. It is 
important to note that for diskette the IBL routine 
does not include the validity checks that are used 
with the fixed disk system. The reason for the 
absence of the validity checks is for loading a non- 
compatible IBL image from diskette. For example, 
if a new processor is added to the system, a new 
BIOS image will be included on a diskette. Since a 
new processor will cause validity errors when load- 
ing from fixed disk, the IBL routine provides the 
ability to bypass these tests by loading the BIOS 
image from diskette. 

To recapitulate, the master boot record is 
checked for compatibility with the system through 
matching the system planar ID and processor 
model/submodel values to the boot record values. 
For disk, this check is done first in the IBL routine 
72 and then done again in the IBL boot record. The 
first check (in the IBL routine) is done to make sure 
the boot record is compatible with the system; the 
second check (in the boot record) is done to en- 
sure a compatible ROM passed control to the boot 
record. Notice that the check done in the disk boot 
record will never fail for a compatible ROM since 
the IBL routine will have already checked the com- 
patibility. In contrast, the first compatibility check is 
not done for diskette. The planar/processor com- 
patibility is checked only during diskette boot 
record execution. This method allows future modi- 
fications in loading a new BIOS image from a 
reference diskette. 

In view of the description of the IBL routine of 
Fig. 6 A, the explanation will now proceed to a 
comprehensive and full understanding of the valid- 
ity tests discussed above. Referring to Fig. 6B, 
there is shown a detailed flowchart of step 152 of 
Fig. 6 A, to determine if a valid master boot record 
is on drive C. The process begins by obtaining the 
drive parameters to enable the IBL routine to ac- 
cess drive C, step 200. An IBL load location is set 
to the last three sectors from the disk (the last 
three sectors normally contain the master boot 
record), step 202. A load count indicating the num- 
ber of attempts to read a master boot record from 
disk is set to 1, step 204. Three sectors are read 
from disk at the IBL load location, step 206. Any 
disk drive errors are detected and if a disk drive 
read error occurs it is reported, steps 208-210. The 
process then returns with an error indication, steps 
212-214. 

Referring back to step 208, if no drive error 
occurs, the disk record is scanned for the master 



boot record signature, step 216. The boot record 
signature, such as the characters "ABC 1 , are com- 
pared to the first three bytes of the disk record. If 
the disk record does have a valid boot record 

s signature (characters "ABC") and the checksum 
computed from the disk record loaded into memory 
equals the boot record checksum, the disk record 
is indicated as being a valid boot record with no 
errors, step 218. The process then returns, step 

10 214. Referring back to step 216. if the boot record 
signature or checksum is invalid, the load count is 
incremented by 1 t step 220. The load count is then 
compared to a predetermined constant such as 99. 
step 222. If 99 attempts to read a boot record have 

75 resulted in failure, an error is indicated and the 
process returns, steps 224. 212 and 214. If less 
than 99 attempts to read a boot record have oc- 
curred, the IBL load location is decremented by 
one and three new sectors are read from the new 

20 load location, steps 226 and 206. Thus if a valid 
IBL boot record cannot be loaded from the last 99 
sectors (equivalent to 33 copies) then an error 
condition is set and control returns to the IBL 
routine. 

25 Referring now to Fig. 6C. there is shown a 

detailed flow diagram for loading the master boot 
record from diskette on drive A. First, the diskette 
drive parameters to access drive A are retrieved, 
step 230. The IBL load location is set to the last 3 

30 sectors on diskette (cylinder, head and sector for- 
mat), step 232. The last 3 sectors are read, step 
234. if a diskette drive error is detected an error is 
indicated, steps 236-238. An error condition is set 
and control is returned to the IBL routine, steps 

35 240-242. 

Referring back to step 236, if no drive error is 
detected, the diskette record is checked for boot 
record signature and the checksum is calculated, 
step 244. If the boot record signature is missing or 

40 checksum is invalid, an error is indicated and con- 
trol returned to the IBL routine, steps 244. 246. 240 
and 242. If a valid boot record signature and valid 
checksum are detected an indication is set and 
control is returned to the IBL routine, steps 248 and 

45 242. It is noted that in a diskette load, the IBL 
routine does not search through the media as in 
the fixed disk load. 

Therefore, in a diskette load, the IBL media 
must be stored in a specific location of the dis- 

50 kette. 

Finally, Fig. 6D shows how the IBL routines 
tests for system planar and processor compatibility 
and for a proper system configuration. The master 
boot record is checked for compatibility with the 
55 system planar by comparing the boot record planar 
ID value to the system planar ID read by the 
system processor, step 260. If the system planar 
ID does not match the boot record planar ID value, 
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this indicates this master boot record is not com- 
patible with this planar. An error is indicated and 
control return to the !BL routine, steps 262, 264, 
and 266. 

If the master boot record is compatible with 
she planar, the master boot record is checked for 
compatibility with the processor, step 268. The 
boot record model value and submodel value are 
compared to the model value and submodel value 
stored in ROM respectively. A mismatch indicates 
a new processor has probably been inserted and 
this boot record is not compatible with the new 
processor. An error is indicated and control re- 
turned to the IBL routine, steps 270, 264 and 266. 
If the master boot record is compatible with the 
planar and processor, the process checks to deter- 
mine if NVRAM is reliable, step 272. If is un- 
reliable, an error is indicated and control returned 
to the IBL routine, steps 274 and 266. If NVRAM is 
reliable, the system configuration is checked, step 
276. A change in system configuration is indicated 
if the model and submodel values stored in 
NVRAM do not match the model and submodel 
values stored in ROM. Note that this last compari- 
son will only indicate a configuration error. If a 
configuration error is indicated, an error is gen- 
erated for the user. This error notifies the user that 
the configuration of the system has changed since 
the last time SET Configuration was run. The user 
is notified of the changed configuration and control 
passed back to the IBL routine steps 278, 264, and 
266. This error is not fatal itself, but notifies the 
user that SET Configuration (configuration program) 
must be executed. Referring back to step 276, if 
the system model/submodel values match, an in- 
dication of comparability is set and the routine 
returns, steps 276, 274 and 266. Thus, the com- 
patibility between the master boot record and the 
system are tested along with determining if the 
system configuration has been modified. 

After the IBL routine loads the master boot 
record into RAM, it transfers control to the MBR 
code starting address. Referring to Fig. 7, the ex- 
ecutable code segment of the master boot record 
first verifies the boot record pattern to the ROM 
pattern, step 300. If the pattern in the master boot 
record does not match the pattern in ROM, an error 
is generated and the system halts, steps 302 and 
305. The check for equality between ROM and 
boot record patterns ensures that the master boot 
record loaded from either the disk or diskette is 
compatible with the ROM on the planar board. 
Referring back to step 300. if the. pattern in ROM 
matches the pattern in the boot record, the MBR 
code compares the system planar ID value, model 
and submodel value against the corresponding 
master boot record values, step 304. This process 
was discussed in greater detail with respect to Fig. 



6D. If the values don't match, the master boot 
record is not compatible with the system planar 
and processor, or the system configuration has 
changed, and an error is generated, step 306. The 
5 system will halt when the IBL record is incompati- 
ble with planar, model or submodel values, step 
305. 

Referring back to step 304, if the system 
planar ID value, model and submodel values match 

10 the corresponding master boot record values, the 
MBR code loads the BIOS image from the selected 
media into the system RAM, step 308. If a media 
load error occurs in reading the data, step 310, an 
error is generated and the system halts, steps 312 

rs and 305. Referring back to step 310, if no media 
load error occurs, a checksum is calculated for the 
BIOS image in memory, step 314. If the checksum 
is invalid an error is generated and the system 
halts, steps 318 and 305. Referring back to step 

20 316. if the checksum is valid, the system partition 
pointers are saved, step 320, and the system pro- 
cessor is vectored to POST Stage II to begin 
loading the system, step 322. 

Referring to Fig. 8, there is shown a block 

25 diagram of an intelligent disk controller 350 for 
controlling movement of data between the disk 
drive 351 and the system processor. It is under- 
stood that disk controller 350 can be incorporated 
into the adapter card 60 while disk drive 351 can 

30 be included onto drive 62 of Fig. 2. A suitable disk 
controller 350 is a SCSI Adapter having a part 
number of 33F8740, which is manufactured by 
International Business Machines Corporation. It is 
understood that the disk controller 350 includes a 

35 microprocessor 352 operating under its own inter- 
nal clock, for controlling its internal operations as 
well as its interfacing with the other elements of the 
disk subsystem and the system processor. The 
microprocessor 352 is coupled by a instruction bus 

40 354 to a read only memory (ROM) 356 which 
stores instructions which the disk controller 350 
executes to process and control the movement of 
data between the disk drive and the system pro- 
cessor. It is also understood that disk controller 350 

45 can include random access memory coupled to 
microprocessor 352 for the storage or retrieval of 
data. The movement of data between disk control- 
ler 350 and the system processor is effected by 
data bus 358 and instruction bus 360. 

so A reset signal on line 362 resets or initializes 

the disk controller logic upon power-on sequence 
or during a system reset. The reset signal is gen- 
erated by the planar board logic, and can take the 
form of a channel reset signal as provided by 

55 IBM's MICROCHANNEL architecture as described 
in "IBM PERSONAL SYSTEM/2 Seminar Proceed- 
ings", Volume 5, Number 3, May 1987 as pub- 
lished by the International Business Machines Cor- 
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poration Entry Systems Division. Furthermore, the 
reset signal can be effectively initiated by BIOS 
outputting a particular bit configuration to an I/O 
port of the system processor in which the planar 
logic is connected. 5 

As is well known, the microprocessor 352 pro- 
vides all the interfacing and timing signals to effect 
the efficient transfer of data between the disk drive 
and the system processor. For clarity, only those 
signals important for the understanding of the in- 10 
vention are presented. It is understood that other 
signals and lines, such as data bus 364, are used 
but are not presented here since they are not 
important for the understanding of the present in- 
vention. It is further understood that only those 75 
programs or routines as stored in ROM 356 impor- 
tant for the understanding of the present invention 
are explained with respect to Fig. 9. 

Referring now to Fig. 9 f there is shown a 
flowchart diagramming the read, write, and protect 20 
functions of the disk controller which are effected 
by the operation of routines stored in ROM 356. In 
operation, a disk instruction is initiated by the sys- 
tem processor and transferred to the disk controller 
350. The disk controller receives and interprets the 25 
instruction to perform the designated operation, 
step 400. 

The disk controller first determines if this is a 
write operation in which data from the system 
processor are stored on the disk drive hardware, 30 
step 402. If the instruction is a write instruction, 
data are received from the system processor in 
relative block address (RBA) format. 

Prior to continuing the discussion above, a 
brief explanation of the relative block address for- 35 
mat applied to a mass storage device, such as a 
disk, may merit review. RBA is a scheme in which 
data in mass storage are addressed in predeter- 
mined sized blocks by sequential numbers, i.e. 
individual definable contiguous blocks of data. For 40 
example, assuming a block size of 1024 bytes, the 
system processor can approximately address 
10,000 blocks for a 10 megabyte disk. That is, the 
system processor can address the disk media in 
terms of N blocks where N ranges from 0 to 9.999. 45 
It has been discovered, that the use of RBA pro- 
vides a very fast and efficient method for address- 
ing mass storage in the type of operating systems 
used for personal computer systems of the present 
invention. so 

For convenience sake, the following assump- 
tions will be introduced: first, the disk can support a 
total of N blocks; second, the system processor 
transfers a K block, where K is greater than or 
equal to 0 and is less than or egual to (N-1); third, -55 
the disk controller can set a maximum addressable 
block which permits access to data blocks where K 
is less than M and denies access to data blocks 



where K is greater than or equal to N. Note, by 
setting M less than M a protectable region on the 
disk is generated from M to N-1 blocks. This fea- 
ture permits the IBL media to be protected as will 
be discussed below. 

Continuing our discussion with reference to 
Fig. 9, the data are received from the disk in RBA 
format, step 404. The disk controller then deter- 
mines if the received block K is less than the 
maximum block value M, where M is less than N, 
step 406. If K is less than M then the disk control- 
ler converts the RBA format into the particular 
format for the mass storage device, such as 
cylinder-head-sector (CHS) format for a fixed disk, 
step 408. For instance, the disk controller by using 
a look up table could convert RBA addresses to 
unigue cyiinder-head-sector location. Another 
method is the use of a conversion formula to 
convert RBA to CHS. For example, for a disk 
having one head, 64 cylinders, and 96 sectors: 
Head = 0, cylinders = quotient of RBA/(96), and 
sectors = remainder of RBA/{96). After converting 
the RBA format to a CHS format the data are 
written to disk at the converted CHS location, step 
410. The disk controller then waits for another 
instruction from the system processor, step 412. 

Referring back to step 406, if the received RBA 
is greater than the maximum set RBA value, ac- 
cess is denied, step 414. That is if K is greater 
than or equal to M, the K block is not written to the 
disk. Please note, if the IBL media is stored in the 
blocks from M to N-1 , then the IBL media will be 
protected from writing. 

Referring back to step 402, if the instruction 
from the system processor is not a write instruc- 
tion, it is tested for being a read instruction, step 
416. If the instruction is a read instruction, the 
system processor sends the RBA format for the 
data requested, step 418. The disk controller then 
determines if the desired RBA (K) is less than the 
maximum set RBA (M). If the desired RBA (K) is 
less than the maximum set RBA (M), then the disk 
controller converts the RBA to the appropriate CHS 
format and reads the data from the disk, steps 422 
and 424. The data are then transferred to the 
system processor, step 412. 

Referring back to step 420, if the received RBA 
(K) is greater than or equal to the maximum set 
RBA (M), access is denied, step 426. If the IBL 
media is stored between M blocks and (N-1) 
blocks, access is denied to this area. Please note, 
that in this circumstance, the IBL media is also 
protected from copying. 

Referring back to step 416, if the instruction is 
not a write or read instruction , it is tested for a set 
maximum RBA instruction, step 428. This instruc- 
tion allows the disk controller to create a protec- 
table area or partition on the disk drive hardware. 
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This instruction allows the disk controller to set M 
between 0 and N blocks, step 430. It is important 
to note that when the disk controller is reset 
(through the reset signal) that M is set so that the 
maximum number of blocks are available. That is, 5 
when the disk controller is reset. M = N. Essentially, 
protection for the protectable area is eliminated 
upon resetting the disk controller, allowing access 
to the area. However, once the set maximum RBA 
instruction is executed only a reset or another set 10 
maximum RBA instruction will allow access to the 
protectable area. Conceptually, the setting of the 
maximum RBA can be thought of as setting a 
fence which protects access to the area above the 
fence while allowing access to the area below the 75 
fence. The disk controller then returns to wait for 
another instruction, step 412. 

Referring back to step 428, if the instruction is 
not a read, write, or set maximum RBA instruction, 
it is tested for another disk controller instruction 20 
and executed, step 432. These instructions will use 
the set maximum RBA value but are not important 
for the understanding of the present invention and 
are not presented here for brevity purposes. The 
disk controller then returns to wait for another in- 25 
struction, step 412. 

The explanation will now proceed to the opera- 
tion of the loading in and protecting the IBL media 
in view of the proceeding discussion. In general, 
from either a cold start (power-on) or a warm start 30 
(alt-ctrl-del), the disk controller having the IBL me- 
dia is reset. This causes the maximum RBA (M) to 
be set to N, i.e. the fence is removed allowing 
access to the IBL media. This is required to allow 
the system to load the IBL media to begin opera- 35 
tion. Once the IBL media is loaded and executed 
the fence is erected (set maximum RBA below IBL 
media) to prevent access to the IBL media stored 
on disk. 

Referring now to Fig. 10, there is shown a 40 
block flow diagram effecting the protection of the 
IBL media. From a power-on condition the system 
is initialized and BIOS initiates activity in planar 
board logic to send a reset condition to the disk 
controller, steps 450 and 452. The reset signal 45 
drops the fence and allows the system processor 
to access the IBL media previously stored on the 
disk in the area from M blocks to N blocks. The 
system loads the IBL media as previously de- 
scribed with reference to Fig. 4-7, step 454. During so 
the IBL loading sequence Post Stage II is ex- 
ecuted, step 456. One of the tasks of POST Stage 
II is to execute the set maximum RBA instruction 
with the maximum RBA set to the first block of the 
IBL media which is designated as M, step 458. -M 55 
is dependent upon partition type (none, partial or 
full) as previously explained. This in effect sets the 
fence denying access to the IBL media while allow- 



ing access to other regions of the disk. The operat- 
ing system is then booted up in a normal fashion, 
step 460. 

If the system is started from a warm start 
condition, such as alt-ctrl-del, the planar logic is 
commanded to reset the disk controller by POST 
Stage II, steps 462 and 464. This causes the fence 
to be dropped. In this circumstance, since the IBL 
media is already present In RAM, the IBL media is 
not loaded again. However, since the protection for 
the IBL media is eliminated POST Stage II must be 
executed to reset the fence, steps 456 and 458. 
The fence is erected protecting the IBL media and 
the system is then rebooted in a normal manner, 
step 460. 

Thus, there has been shown a method and 
apparatus for protecting access to the IBL media 
stored on a mass storage device , such as a disk 
drive. The IBL media is protected by addressing 
mass storage in blocks and setting a maximum 
block the system can access during normal opera- 
tion. The IBL media is stored consecutively in 
those blocks between the maximum block acces- 
sible and the total number of blocks supported by 
the disk drive. A reset signal sent to the disk 
controller eliminates the maximum block accessible 
to permit the system to address the IBL media. 
The reset signal is generated during a power-on 
condition or a warm-start condition to permit ac- 
cess to the IBL media to boot up the system. 

While the invention has been illustrated in con- 
nection with a preferred embodiment, it should be 
understood that many variations will occur to those 
of ordinary skill in the art, and that the scope of the 
invention is defined only by the claims appended 
hereto and equivalent. 



Claims 

1. A computer system (10) comprising: a system 
processor (26); a read only memory (36); a random 
access main memory (32); and at least one direct 
access storage device (62) capable of storing a 
plurality of data records; 

characterised in that the system (10) further com- 
prises: 

initialising means included in the read only memory 
(36) for initialising the system processor (26) and 
for generating a reset signal to the direct access 
storage device (62) to permit access to the data 
records; 

loading means for loading data records from the 
direct access storage device (62) into main mem- 
ory (32), the loading means being stored in a 
protectable partition of the direct access storage 
device (62), the loading means being read from the 
direct access storage device (62) into main mem- 
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ory (32) by the initialising means wherein the in- 
itialising means activates the loading means; 
a main memory resident program image being 
stored in the protectable partition of the direct 
access storage device (62), the main memory resi- 
dent program image being read from the direct 
access storage device (62) into main memory (32) 
by the loading means to produce a main memory 
resident program; 

protection means for protecting the protectable par- 
tition of the direct access storage device (62), the 
protection means being activated by the main 
memory resident program to prevent unauthorized 
access to the loading means and the main memory 
resident program image. 

2. A computer system (10) as claimed in claim 1, 
wherein the read only memory (36) stores a first 
protion of BIOS, and wherein the main memory 
resident program image is a remaining portion of 
BIOS 

3. A computer system (10) as claimed in claim 2, 
wherein the loading means further includes a vali- 
dation means for confirming the system (10) is 
compatible with the main memory resident pro- 
gram. 

4. A computer system (10) as claimed in claim 2 or 
claim 3, wherein the loading means comprises a 
master boot record having an executable code 
segment for effecting the loading of the main mem- 
ory resident program, wherein the initialisation 
means transfers control to the executable code 
segment to effect the loading of the main memory 
resident program image into main memory (32). 

5. A computer system (10) as claimed in claim 1, 
wherein the initialisation means includes power on 
self test means, the power on self test means 
initializing and testing only those system functions 
necessary to load the main memory resident pro- 
gram. 

6. A computer system (10) as claimed in claim 5, 
wherein the power on self test means initializes the 
system processor (26) functions, memory sub- 
systems, and direct access storage device (62) 
subsystem. 

7. A computer system (10) as claimed in claim 3, 
wherein the validation means includes data repre- 
senting the type of system processor (26) and 
configuration of a system planar (24) coupled to 
the system processor (26). 

8. A computer system (10) as claimed in claim 2, 
wherein the at least one direct access storage 
device (62) comprises a fixed disk drive wherein 
the loading means loads data records from the 
fixed disk drive into main memory (32). 

9. A computer system (10) as claimed in claim 8, 
wherein the fixed disk drive includes a disk control- 
ler and further wherein the system processor (26) 
transfers data records to the disk controller in 



blocks being in a format which numbers the blocks 
sequentially, and further wherein the master boot 
record and the remaining portion of BIOS are effec- 
tively stored in the higher order numbered blocks. 

s 10. A computer system (10) as claimed in claim 9, 
wherein the protection means comprises setting a 
maximum block addressable, the maximum block 
addressable being the lowest order numbered 
block of the master boot record and remaining 

10 portion of BIOS, the projection means preventing 
access to blocks greater than or equal to the maxi- 
mum block addressable while permitting access to 
blocks less than the maximum block addressable. 
11. A computer system (10) as claimed in claim 

75 10, wherein the initialisation means initiates genera- 
tion of the reset signal in response to power being 
applied to the system (10). 

12 A computer system (10) as claimed in claim 10. 
wherein the initialisation means initiates generation 
20 of the reset signal in response to a reset condition 
being applied to the system (10). 

13. A computer system (10) as claimed in claim 4, 
wherein the master boot record further includes a 
data segment, the data segment representing a 

25 hardware configuration of the system (10) which is 
compatible with the master boot record, and 
wherein the read only memory (36) includes data 
representing a hardware configuration of the sys- 
tem processor (26), wherein before the remaining 

30 portion of BIOS is loaded into the main memory 
(32), the first portion of BIOS compares the hard- 
ware configuration data from the master boot 
record with the hardware configuration data from 
the read only memory (36) to verify the master 

35 boot record is compatible with the system proces- 
sor (26). 

14. A computer system (10) as claimed in claim 

13, wherein the data segment of the master boot 
record includes a value representing a system 

40 planar (24) which is compatible with the master 
boot record and further wherein the system planar 
(24) further includes a means for uniquely identify- 
ing the system planar (24) in order to verify that 
the master boot record is compatible to the system 

45 planar (24). 

15. A computer system (10) as claimed in claim 

14, wherein the hardware configuration data on the 
master boot record includes a model value and a 
submodel value, wherein the model value identifies 

so a system processor (26) which is compatible with 
the master boot record and the submodel value 
represent an I/O configuration of a system planar 
(24) which is compatible with the master boot 
record, and further wherein the read only memory 

55 (36) includes a corresponding model value identify- 
ing the system processor (26) and submodel value 
representing the I/O configuration of the system 
planar (24), wherein the model value and submodel 

15 
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value of the master boot record are compared to 
the corresponding model and submodel values of 
the read only memory (36) respectively, in order to 
verify that the master boot record is compatible 
with the system processor (26) and the I/O configu- 
ration of the system planar (24). 

16. A computer system (10) as claimed in claim 4 
further comprising a nonvolatile random access 
memory (58) being electrically coupled to the sys- 
tem processor (26), the nonvolatile random access 
memory (58) including data representing the sys- 
tem configuration, the data being updated when the 
configuration of the system (10) is changed, 
wherein the first portion of BIOS compares the data 
in the nonvolatile random access memory (58) to 
corresponding data in the read only memory (36) 
to determine if the configuration of the system (10) 
has changed. 

17. A computer system (10) as claimed in claim 4 
wherein the direct access storage device (62) com- 
prises a fixed disk. 

18. A computer system (10) as claimed in claim 

17, wherein the system processor (26) transfers 
data records to the disk controller in blocks being 
in a format which numbers the blocks sequentially, 
and further wherein the master boot record and the 
remaining portion of BIOS are effectively stored in 
the higher order numbered blocks. 

19. A computer system (10) as claimed in claim 

18, wherein the protection means comprises setting 
a maximum block addressable, the maximum block 
addressable being the lowest order numbered 
block of the master boot record and the remaining 
portion of BIOS, the protection means preventing 
access to blocks egual to greater than the maxi- 
mum block addressable while permitting access to 
blocks less than the maximum block addressable. 

20. Apparatus for preventing the unauthorised ac- 
cess of BIOS stored in a mass storage device (62) 
in a personal computer system (10) having a sys- 
tem processor (26), the mass storage device (62) 
capable of storing a plurality of data blocks defined 
between a first and second data block extreme, 
BIOS being accessible by the system processor 
(26) in the form of individual definable contiguous 
blocks of data. BIOS extending from a third data 
block extreme to a fourth data block extreme, the 
third and fourth extremes being bounded by the 
first and second extremes, the apparatus compris- 
ing: 

a controller device coupled between the system 
processor (26) and the mass storage device (62) 
for transforming an input or output request from the 
system processor (26) to physical characteristics of 
the mass storage device (62), the inpuVoutput re- 
quests being in the form of individual definable 
contiguous blocks of data; 

first logic means for initiating the generation of a 



reset signal; 

second logic means for generating a second signal 
for preventing access to the BIOS code; and 
protection means responsive to the reset signal for 

5 permitting access to the BIOS code, the protection 
means being responsive to the second signal for 
setting a boundary at the third data block to pre- 
vent access to the BIOS code during normal ex- 
ecution of authorized programs by the system pro- 

10 cessor (26). 

21. Apparatus as claimed in claim 20, wherein the 
mass storage device (62) comprises a fixed disk 
having input/output requests in the form of a cyl- 
inder, head and sector format, and further wherein 

is the controller converts from data block format to 
cylinder, head and sector format. 

22. Apparatus as claimed in claim 21, wherein the 
controller device includes a SCSI adapter card 
responsive to the system processor (26). 

20 23. Apparatus as claimed in claim 22, wherein the 
first logic means initiates generation of the reset 
signal in response to a power on condition for the 
system processor (26). 

24. Apparatus as claimed in claim 23, wherein the 
25 first logic means initiates generation of the reset 

signal in response to an input from a keyboard 
connected to the system (1 0). 

25. A method for protecting BIOS in a personal 
computer system (10), the system (10) including a 

30 system processor (26). a read only memory (36), a 
random access memory (32), 
and direct storage access device, the method com- 
prising the steps of: 

(a) storing a first portion of BIOS in the read 
35 only memory (36), the first portion of BIOS 

including means for initializing the system (10); 

(b) storing a master boot record and a remaining 
portion of BIOS in a protectable partition on the 
direct access storage device (62), the remaining 

40 portion of BIOS being resident in the random 
access memory (32) during normal operations of 
the system (1 0); 

(c) initializing the system (10) and initiating the 
generation of a reset signal being sent to the 

45 direct access storage device (62); 

(d) removing the protection to the protectable 
partition to permit the system processor (26) to 
access the master boot record and remaining 
portion of BIOS, the protection being removed in 

so response to the reset signal; 

(e) loading the master boot record into random 
access memory (32), the master boot record 
including an executable code segment; 

(f) transferring control to the executable code 
55 segment to load the remaining portion of BIOS 

into the random access memory (32); and 

(g) transferring control to the remaining portion 
of BIOS in random access memory (32), the 
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remaining portion of BIOS setting the protection 
on the protectable partition to prevent un- 
authorized access to the master boot record and 
the remaining portion of BIOS stored in the 
protectable partition on the direct access stor- s 
age device (62). 
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© Computer system with program protection apparatus. 



© An apparatus and method for protecting BIOS 
stored on a direct access storage device (62) into a 
personal computer system (10). The personal com- 
puter system (JO) comprises a system processor 
(26), a system planar (24) , a random access main 
memory (32), a read only memory (36), a protection 
means and at least one direct access storage device 
(62). The read only memory (36) includes a first 
portion of BIOS and data representing the type of 
system processor (26) and system planar (24) I/O 
configuration. The first portion of BIOS initializes the 
system (10) and the direct access storage device 
^ (62), and resets the protection means in order to 
(§§) read in a master boot record into the random access 
©§> memory (32) from a protectable partition on the 
direct access storage device (62). The master boot 
s= record includes a data segment and an executable 
code segment. The data segment includes data re- 
@ presenting system hardware and a system configu- 
_ ration which is supported by the master boot record, 
jyy The first BIOS portion confirms the master boot 



record is compatible with the system hardware by 
verifying that the data from the data segment of the 
master boot record agrees with the system proces- 
sor (26), system planar (24), and planar (24) I/O 
configuration. If the master boot record is compatible 
with the system hardware, the first BIOS portion 
vectors the system processor (26) to execute the 
executable code segment of the master boot record. 
The executable code segment confirms that the sys- 
tem configuration has not changed and loads in the 
remaining BIOS portion from the same protectable 
partition on the direct access storage device (62) 
into random access memory (32). The executable 
code segment then verifies the authenticity of the 
remaining BIOS portion and vectors the system pro- 
cessor (26) to begin executing the BIOS now in 
random access memory. BIOS, executing in random 
access memory (32), then activates the protection 
means to prevent further access to the protectable 
partition. BIOS boots up the operating system to 
begin operation of the personal computer system. 
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